da17f2a35db80b419584e44cdf0613ea0f1cdbdedaf21d468a98386c431779b0

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 13:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
Size

204KB
MD5

ae683b6f6839a48294f88155f7c00eb8
SHA1

d83fe38b66789181d53bb8ac5f931592aec7c911
SHA256

da17f2a35db80b419584e44cdf0613ea0f1cdbdedaf21d468a98386c431779b0
SHA512

02c7848793fe99ec1d2bce18f374569fa217284d2d1b4e874a4680889a9c820501f0240f2d260fb9dcc1af7ab420eefcda1abed8088249df324b33db7ab94fe7
SSDEEP

1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015c49-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001227e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f3-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f3-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f3-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F438D8-884B-4559-B7B2-31DDBF6A963B}\stubpath = "C:\\Windows\\{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe"	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}\stubpath = "C:\\Windows\\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe"	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD845F5D-E00A-4235-89A0-8E748A0A1237}	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989CCA68-7737-4cf9-A992-851C4F5DD920}	{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}\stubpath = "C:\\Windows\\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe"	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F438D8-884B-4559-B7B2-31DDBF6A963B}	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}\stubpath = "C:\\Windows\\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe"	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD845F5D-E00A-4235-89A0-8E748A0A1237}\stubpath = "C:\\Windows\\{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe"	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989CCA68-7737-4cf9-A992-851C4F5DD920}\stubpath = "C:\\Windows\\{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe"	{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}	{972A82B4-B38F-4d09-B0F2-949993949C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}\stubpath = "C:\\Windows\\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe"	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}\stubpath = "C:\\Windows\\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe"	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883CA6D4-5897-432f-82A2-7562AD2B657A}	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883CA6D4-5897-432f-82A2-7562AD2B657A}\stubpath = "C:\\Windows\\{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe"	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{972A82B4-B38F-4d09-B0F2-949993949C57}	{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{972A82B4-B38F-4d09-B0F2-949993949C57}\stubpath = "C:\\Windows\\{972A82B4-B38F-4d09-B0F2-949993949C57}.exe"	{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}\stubpath = "C:\\Windows\\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe"	{972A82B4-B38F-4d09-B0F2-949993949C57}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
596	{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
1492	{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
2252	{972A82B4-B38F-4d09-B0F2-949993949C57}.exe
2320	{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
File created	C:\Windows\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
File created	C:\Windows\{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe	{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
File created	C:\Windows\{972A82B4-B38F-4d09-B0F2-949993949C57}.exe	{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
File created	C:\Windows\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe	{972A82B4-B38F-4d09-B0F2-949993949C57}.exe
File created	C:\Windows\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
File created	C:\Windows\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
File created	C:\Windows\{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
File created	C:\Windows\{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
File created	C:\Windows\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
File created	C:\Windows\{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
Token: SeIncBasePriorityPrivilege	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
Token: SeIncBasePriorityPrivilege	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
Token: SeIncBasePriorityPrivilege	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
Token: SeIncBasePriorityPrivilege	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
Token: SeIncBasePriorityPrivilege	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
Token: SeIncBasePriorityPrivilege	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
Token: SeIncBasePriorityPrivilege	596	{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
Token: SeIncBasePriorityPrivilege	1492	{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
Token: SeIncBasePriorityPrivilege	2252	{972A82B4-B38F-4d09-B0F2-949993949C57}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3020	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	28
PID 3060 wrote to memory of 3020	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	28
PID 3060 wrote to memory of 3020	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	28
PID 3060 wrote to memory of 3020	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	28
PID 3060 wrote to memory of 2104	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	29
PID 3060 wrote to memory of 2104	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	29
PID 3060 wrote to memory of 2104	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	29
PID 3060 wrote to memory of 2104	3060	2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe	29
PID 3020 wrote to memory of 2564	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	30
PID 3020 wrote to memory of 2564	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	30
PID 3020 wrote to memory of 2564	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	30
PID 3020 wrote to memory of 2564	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	30
PID 3020 wrote to memory of 2240	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	31
PID 3020 wrote to memory of 2240	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	31
PID 3020 wrote to memory of 2240	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	31
PID 3020 wrote to memory of 2240	3020	{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe	31
PID 2564 wrote to memory of 2428	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	33
PID 2564 wrote to memory of 2428	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	33
PID 2564 wrote to memory of 2428	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	33
PID 2564 wrote to memory of 2428	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	33
PID 2564 wrote to memory of 2572	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	34
PID 2564 wrote to memory of 2572	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	34
PID 2564 wrote to memory of 2572	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	34
PID 2564 wrote to memory of 2572	2564	{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe	34
PID 2428 wrote to memory of 2448	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	36
PID 2428 wrote to memory of 2448	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	36
PID 2428 wrote to memory of 2448	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	36
PID 2428 wrote to memory of 2448	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	36
PID 2428 wrote to memory of 640	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	37
PID 2428 wrote to memory of 640	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	37
PID 2428 wrote to memory of 640	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	37
PID 2428 wrote to memory of 640	2428	{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe	37
PID 2448 wrote to memory of 2784	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	38
PID 2448 wrote to memory of 2784	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	38
PID 2448 wrote to memory of 2784	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	38
PID 2448 wrote to memory of 2784	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	38
PID 2448 wrote to memory of 2392	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	39
PID 2448 wrote to memory of 2392	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	39
PID 2448 wrote to memory of 2392	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	39
PID 2448 wrote to memory of 2392	2448	{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe	39
PID 2784 wrote to memory of 2136	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	40
PID 2784 wrote to memory of 2136	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	40
PID 2784 wrote to memory of 2136	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	40
PID 2784 wrote to memory of 2136	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	40
PID 2784 wrote to memory of 2816	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	41
PID 2784 wrote to memory of 2816	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	41
PID 2784 wrote to memory of 2816	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	41
PID 2784 wrote to memory of 2816	2784	{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe	41
PID 2136 wrote to memory of 2672	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	42
PID 2136 wrote to memory of 2672	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	42
PID 2136 wrote to memory of 2672	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	42
PID 2136 wrote to memory of 2672	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	42
PID 2136 wrote to memory of 652	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	43
PID 2136 wrote to memory of 652	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	43
PID 2136 wrote to memory of 652	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	43
PID 2136 wrote to memory of 652	2136	{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe	43
PID 2672 wrote to memory of 596	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	44
PID 2672 wrote to memory of 596	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	44
PID 2672 wrote to memory of 596	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	44
PID 2672 wrote to memory of 596	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	44
PID 2672 wrote to memory of 2712	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	45
PID 2672 wrote to memory of 2712	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	45
PID 2672 wrote to memory of 2712	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	45
PID 2672 wrote to memory of 2712	2672	{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_ae683b6f6839a48294f88155f7c00eb8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
  C:\Windows\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
    C:\Windows\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
      C:\Windows\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
        
        C:\Windows\{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
        
        C:\Windows\{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
        
        C:\Windows\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
        
        C:\Windows\{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
        
        C:\Windows\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
        
        C:\Windows\{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{972A82B4-B38F-4d09-B0F2-949993949C57}.exe
        
        C:\Windows\{972A82B4-B38F-4d09-B0F2-949993949C57}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe
        
        C:\Windows\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{972A8~1.EXE > nul
        12⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{989CC~1.EXE > nul
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5AA~1.EXE > nul
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD845~1.EXE > nul
        9⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF889~1.EXE > nul
        8⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{883CA~1.EXE > nul
        7⤵
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68F43~1.EXE > nul
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90258~1.EXE > nul
        5⤵
        
        PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46CC4~1.EXE > nul
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E3E3~1.EXE > nul
    3⤵
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{46CC43C6-52CE-4d40-AB15-7215BF7CA824}.exe

Filesize
204KB

MD5
b82bdccad6ed21b57e9237929d7d0792

SHA1
cece749ddc8cd0233aeab536e4b39a96bb980229

SHA256
9ea0f74e456b00433d30255499c8505d2e1bde5f7c09d5f1f1d35e27addcb320

SHA512
8c3fdf9e8a1a7aebcd3267b016d32e5d3964a117af4bec0d22ef48f4be5ab0f09fb8dc34489364a5ee981ebf445f9fc7fa33f172c31be00eeb093af33385a300

Download Submit
C:\Windows\{68F438D8-884B-4559-B7B2-31DDBF6A963B}.exe

Filesize
204KB

MD5
133ed151ef02a1766e6053074ce4f625

SHA1
443be3cab4592dc184d214c11b5fc7f806607267

SHA256
95a74e4ccf9971c43858244fa75dd7cc821015b004d05d8888aa3ead6346cf55

SHA512
c07887924f750b60cc3ff0d9e8e587175c9f391253216abef0e6010432629869fbc3f3a19dd78ac6c3028f7c5be282f5002e226837089b20f0fc0ef53322d9de

Download Submit
C:\Windows\{7E3E3B4F-F186-43a2-99E1-9C856DC0EC4B}.exe

Filesize
204KB

MD5
96dc3392c70873a519c3bf9ebf767223

SHA1
8bbe7827716030922bc1ac1dc05b30295423d5cf

SHA256
07aec11086478b4dae7d8bc3cf2ef719245fc6baa56c96b5713508bb932953b5

SHA512
dde2bf79dcc5ebf3c5f8d0fcdbeb4a2f0e0aedac01466f5d39e5155601e0a8fec0bd28f47a321cd0bfbe5fc5ccecae941e281b0581b747b7d602c13547cf0491

Download Submit
C:\Windows\{883CA6D4-5897-432f-82A2-7562AD2B657A}.exe

Filesize
204KB

MD5
20f657948e09b6406c2f0136e18aeb06

SHA1
0f944d13ac25634161c1cba47bb6a2010dfe8cc9

SHA256
bf1e9ec58dcb13e5f525c491931363919a221f5851ddd65a13854396a9254e94

SHA512
4b5099d95437a12640993b0b596277e7498bbdb485aa6f8ff2250052f142b6563acbb22fc2ba177643e4a19aac6530550d83b67c16141f01c7a3e03402e2f6dc

Download Submit
C:\Windows\{90258E38-B059-4d11-9F76-6EEB9E1BDDCA}.exe

Filesize
204KB

MD5
52614deb17d80db90227346aec25dcf2

SHA1
16ff710721959fdd1693e0d6d08ca25cdfb7198b

SHA256
0cf4f471e7d4f00795aefe6135e11e7880b5133dcf93ae6ad2614ae1827bab7e

SHA512
e24c0e183f11cc2065301c272ed5b4f9cbecfdc5d549c071c5ac08d2756fbee4c4682de8d4a77e8bb2854b826d62325b895545d0a7957c432aa40d92cf28c415

Download Submit
C:\Windows\{931E85FF-7A46-4984-9CE8-70C9A0901F8C}.exe

Filesize
204KB

MD5
0866e30d142a9241a30428f1a0b42363

SHA1
5cac4dc18a1b0ddd97475d5def0949728bf556c9

SHA256
363a1beb401e8bd1cf092899fb89232612cd738b2f4c38443977b87c85c2f5ea

SHA512
574c7385a77e7560c381f9377098d12e6e8f15dd9543728bb2f05830746f4ca3a7cc5f89f4f1985b41c2f95a6ed53937b92e8793e56dbe6a12bc029426e5aefa

Download Submit
C:\Windows\{972A82B4-B38F-4d09-B0F2-949993949C57}.exe

Filesize
204KB

MD5
604352dfbe9979233fe183f6a859dd01

SHA1
9ffa8b7853989cc3910ee733ed9bcd773ec402fd

SHA256
31aaad5c2871d99937dc6dabed029967b1b1ca9a2975522a79877d3412b58fe0

SHA512
b3752f0c88fe12074575c8379d5e3eb6563b35265ef6df9f8d15708c45c1a6fedab0e14ef08b9c90e7026914a9dcac4907a7ba6db86911bf0842da68da34a38a

Download Submit
C:\Windows\{989CCA68-7737-4cf9-A992-851C4F5DD920}.exe

Filesize
204KB

MD5
3be2490fe0f9a4afd61c8d38444951f0

SHA1
e505e45c3cf9bbbef9e7032798345da54f74e76e

SHA256
b6a46d6e992a61295ea82aed83bf495c31bc8b4e98378c04b1a1793aa685488e

SHA512
b72ac235b3fc61e485666d815e9ecb2e81f53d0f1e8bbe229aa00bfd4f1b27d26277cc2ce869a0764ac22711a65d7b5de539874051df8f985f2984fa502e10b3

Download Submit
C:\Windows\{DD5AA77A-734D-4f8b-853C-8F6B668749CE}.exe

Filesize
204KB

MD5
b860735ef1b785011561dd0fcf8eb3dd

SHA1
565c9ec49aef88f87aa8a4118af57811e634fbb9

SHA256
e086093d96b2e6d9dcb7e7b67cb8d298212ce561c4cd25fea5a4cb72ea10aa0f

SHA512
302126c75486c7a6e81deb7f6622cfc4db1d374407d0a4c282fb6714623a38d156fa86a8a1a1642adaf9084b2c4a644204feb123e55648c40d32f5d859dc635e

Download Submit
C:\Windows\{DD845F5D-E00A-4235-89A0-8E748A0A1237}.exe

Filesize
204KB

MD5
33f9ec6e686621e839d5586e8fa458ac

SHA1
0a69c2deb5e336e340496b89bea87c794605ac86

SHA256
02a50087e7e580daea1a8bd515886b5d5972de1ffe1deaee843e5d898bd0245a

SHA512
1be748f209701e80f1ec28397fe202b801d0f852c0893237afb7052865cc6c1a336f6eae057f0451af672886cd17b394c7a80cfb868c98ad6e7388f734b0d738

Download Submit
C:\Windows\{EF889FDA-4A3F-4f9d-B2FD-74DD23BD02CF}.exe

Filesize
204KB

MD5
1e646c9760e1818c361b1abf45c23185

SHA1
fbb3af347976356c487a97133441f0fd921d01df

SHA256
55c1e805f14a9720c5247abae55d14d7b008cf2756bfce40e7755b7a4754b675

SHA512
1f46d1d7cf937e07d5e3e3d47428a6c2ccf5c90a7da9c68585960fbf96f519f1b9030c7286a0f80b6acdc8eae4959f8be1cf6322fb2bd572779c2e8cd5abe746

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads